Archive for April 8th, 2014

A major vulnerability with the OpenSSL libraries was announced this morning. According to PCWorld, “The flaw, nicknamed ‘Heartbleed’ is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption. Most websites use either SSL or TLS, which is indicated in browsers with a padlock symbol. The flaw, which was introduced in December 2011, has been fixed in OpenSSL 1.0.1g, which was released on Monday [April 7].”

We want to ensure all our customers are aware of this vulnerability so those impacted can take appropriate measures. The following description of Heartbleed is from http://heartbleed.com:

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

GoGrid has already performed an extensive audit of our environment and has determined that none of our customer-supporting sites—including our management console, wiki, and secure signup—is exposed to this vulnerability.

If you are permitting SSL/TLS traffic to your servers, however, a firewall won’t block against this attack. This is a serious vulnerability with the ability to significantly expose your environment. GoGrid recommends you review the National Vulnerability Database CVE-2014-0160 as soon as possible to determine if the OpenSSL vulnerability applies to your organization and then take corrective action based on your specific security policies, if necessary.

If you’re a software developer, you’ve probably already used open-source code in some of your projects. Until recently, however, people who aren’t software developers probably thought “open source” referred to a new type of bottled water. But all that’s beginning to change. Now you can find open-source versions of everything from Shakespeare to geospatial tools. In fact, the first laptop built almost entirely on open source hardware just hit the market. In the article announcing the new device, Wired noted that, “Open source hardware is beginning to find its own place in the world, not only among hobbyists but inside big companies such as Facebook.”

Why now?

Open source technology has moved from experiment to mainstream partly because the concept itself has matured. Companies that used to zealously guard their proprietary software or hardware may now be building some or all of it on open-source code and even giving back to the relevant communities. Plus repositories like GitHub, Bitbucket, and SourceForge make access to open-source code easy.

In its annual “Future of Open Source Survey,” North Bridge Venture Partners summarized 3 reasons support for open source is broadening:

1. Quality: Thanks to strong community support, the quality of open-source offerings has improved dramatically. They now compete with proprietary or commercial equivalents on features–and can usually be deployed more quickly. Goodbye vendor “lock-in.”